Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 1 | #!/bin/sh |
| 2 | # |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 3 | # ssh-host-config, Copyright 2000, Red Hat Inc. |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 4 | # |
| 5 | # This file is part of the Cygwin port of OpenSSH. |
| 6 | |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 7 | # Subdirectory where the new package is being installed |
| 8 | PREFIX=/usr |
| 9 | |
| 10 | # Directory where the config files are stored |
| 11 | SYSCONFDIR=/etc |
| 12 | |
| 13 | # Subdirectory where an old package might be installed |
| 14 | OLDPREFIX=/usr/local |
| 15 | OLDSYSCONFDIR=${OLDPREFIX}/etc |
| 16 | |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 17 | progname=$0 |
| 18 | auto_answer="" |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 19 | port_number=22 |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 20 | |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 21 | privsep_configured=no |
| 22 | privsep_used=yes |
| 23 | sshd_in_passwd=no |
| 24 | sshd_in_sam=no |
| 25 | |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 26 | request() |
| 27 | { |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 28 | if [ "${auto_answer}" = "yes" ] |
| 29 | then |
| 30 | return 0 |
| 31 | elif [ "${auto_answer}" = "no" ] |
| 32 | then |
| 33 | return 1 |
| 34 | fi |
| 35 | |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 36 | answer="" |
| 37 | while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] |
| 38 | do |
| 39 | echo -n "$1 (yes/no) " |
| 40 | read answer |
| 41 | done |
| 42 | if [ "X${answer}" = "Xyes" ] |
| 43 | then |
| 44 | return 0 |
| 45 | else |
| 46 | return 1 |
| 47 | fi |
| 48 | } |
| 49 | |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 50 | # Check options |
| 51 | |
| 52 | while : |
| 53 | do |
| 54 | case $# in |
| 55 | 0) |
| 56 | break |
| 57 | ;; |
| 58 | esac |
| 59 | |
| 60 | option=$1 |
| 61 | shift |
| 62 | |
| 63 | case "$option" in |
| 64 | -d | --debug ) |
| 65 | set -x |
| 66 | ;; |
| 67 | |
| 68 | -y | --yes ) |
| 69 | auto_answer=yes |
| 70 | ;; |
| 71 | |
| 72 | -n | --no ) |
| 73 | auto_answer=no |
| 74 | ;; |
| 75 | |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 76 | -p | --port ) |
| 77 | port_number=$1 |
| 78 | shift |
| 79 | ;; |
| 80 | |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 81 | *) |
| 82 | echo "usage: ${progname} [OPTION]..." |
| 83 | echo |
| 84 | echo "This script creates an OpenSSH host configuration." |
| 85 | echo |
| 86 | echo "Options:" |
| 87 | echo " --debug -d Enable shell's debug output." |
| 88 | echo " --yes -y Answer all questions with \"yes\" automatically." |
| 89 | echo " --no -n Answer all questions with \"no\" automatically." |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 90 | echo " --port -p <n> sshd listens on port n." |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 91 | echo |
| 92 | exit 1 |
| 93 | ;; |
| 94 | |
| 95 | esac |
| 96 | done |
| 97 | |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 98 | # Check if running on NT |
| 99 | _sys="`uname -a`" |
| 100 | _nt=`expr "$_sys" : "CYGWIN_NT"` |
| 101 | |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 102 | # Check for running ssh/sshd processes first. Refuse to do anything while |
| 103 | # some ssh processes are still running |
| 104 | |
| 105 | if ps -ef | grep -v grep | grep -q ssh |
| 106 | then |
| 107 | echo |
| 108 | echo "There are still ssh processes running. Please shut them down first." |
| 109 | echo |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 110 | #exit 1 |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 111 | fi |
| 112 | |
| 113 | # Check for ${SYSCONFDIR} directory |
| 114 | |
| 115 | if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ] |
| 116 | then |
| 117 | echo |
| 118 | echo "${SYSCONFDIR} is existant but not a directory." |
| 119 | echo "Cannot create global configuration files." |
| 120 | echo |
| 121 | exit 1 |
| 122 | fi |
| 123 | |
| 124 | # Create it if necessary |
| 125 | |
| 126 | if [ ! -e "${SYSCONFDIR}" ] |
| 127 | then |
| 128 | mkdir "${SYSCONFDIR}" |
| 129 | if [ ! -e "${SYSCONFDIR}" ] |
| 130 | then |
| 131 | echo |
| 132 | echo "Creating ${SYSCONFDIR} directory failed" |
| 133 | echo |
| 134 | exit 1 |
| 135 | fi |
| 136 | fi |
| 137 | |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 138 | # Create /var/log and /var/log/lastlog if not already existing |
| 139 | |
| 140 | if [ -f /var/log ] |
| 141 | then |
| 142 | echo "Creating /var/log failed\!" |
| 143 | else |
| 144 | if [ ! -d /var/log ] |
| 145 | then |
| 146 | mkdir -p /var/log |
| 147 | fi |
| 148 | if [ -d /var/log/lastlog ] |
| 149 | then |
| 150 | echo "Creating /var/log/lastlog failed\!" |
| 151 | elif [ ! -f /var/log/lastlog ] |
| 152 | then |
| 153 | cat /dev/null > /var/log/lastlog |
| 154 | fi |
| 155 | fi |
| 156 | |
| 157 | # Create /var/empty file used as chroot jail for privilege separation |
| 158 | if [ -f /var/empty ] |
| 159 | then |
| 160 | echo "Creating /var/empty failed\!" |
| 161 | else |
| 162 | mkdir -p /var/empty |
| 163 | # On NT change ownership of that dir to user "system" |
| 164 | if [ $_nt -gt 0 ] |
| 165 | then |
| 166 | chown system.system /var/empty |
| 167 | fi |
| 168 | fi |
| 169 | |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 170 | # Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't |
| 171 | # the same as ${PREFIX} |
| 172 | |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 173 | old_install=0 |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 174 | if [ "${OLDPREFIX}" != "${PREFIX}" ] |
| 175 | then |
| 176 | if [ -f "${OLDPREFIX}/sbin/sshd" ] |
| 177 | then |
| 178 | echo |
| 179 | echo "You seem to have an older installation in ${OLDPREFIX}." |
| 180 | echo |
| 181 | # Check if old global configuration files exist |
| 182 | if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ] |
| 183 | then |
| 184 | if request "Do you want to copy your config files to your new installation?" |
| 185 | then |
| 186 | cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR} |
| 187 | cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR} |
| 188 | cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR} |
| 189 | cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR} |
| 190 | cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR} |
| 191 | cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR} |
| 192 | fi |
| 193 | fi |
| 194 | if request "Do you want to erase your old installation?" |
| 195 | then |
| 196 | rm -f ${OLDPREFIX}/bin/ssh.exe |
| 197 | rm -f ${OLDPREFIX}/bin/ssh-config |
| 198 | rm -f ${OLDPREFIX}/bin/scp.exe |
| 199 | rm -f ${OLDPREFIX}/bin/ssh-add.exe |
| 200 | rm -f ${OLDPREFIX}/bin/ssh-agent.exe |
| 201 | rm -f ${OLDPREFIX}/bin/ssh-keygen.exe |
| 202 | rm -f ${OLDPREFIX}/bin/slogin |
| 203 | rm -f ${OLDSYSCONFDIR}/ssh_host_key |
| 204 | rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub |
| 205 | rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key |
| 206 | rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub |
| 207 | rm -f ${OLDSYSCONFDIR}/ssh_config |
| 208 | rm -f ${OLDSYSCONFDIR}/sshd_config |
| 209 | rm -f ${OLDPREFIX}/man/man1/ssh.1 |
| 210 | rm -f ${OLDPREFIX}/man/man1/scp.1 |
| 211 | rm -f ${OLDPREFIX}/man/man1/ssh-add.1 |
| 212 | rm -f ${OLDPREFIX}/man/man1/ssh-agent.1 |
| 213 | rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1 |
| 214 | rm -f ${OLDPREFIX}/man/man1/slogin.1 |
| 215 | rm -f ${OLDPREFIX}/man/man8/sshd.8 |
| 216 | rm -f ${OLDPREFIX}/sbin/sshd.exe |
| 217 | rm -f ${OLDPREFIX}/sbin/sftp-server.exe |
| 218 | fi |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 219 | old_install=1 |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 220 | fi |
| 221 | fi |
| 222 | |
| 223 | # First generate host keys if not already existing |
| 224 | |
| 225 | if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] |
| 226 | then |
| 227 | echo "Generating ${SYSCONFDIR}/ssh_host_key" |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 228 | ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null |
| 229 | fi |
| 230 | |
| 231 | if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] |
| 232 | then |
| 233 | echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key" |
| 234 | ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 235 | fi |
| 236 | |
| 237 | if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] |
| 238 | then |
| 239 | echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key" |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 240 | ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 241 | fi |
| 242 | |
| 243 | # Check if ssh_config exists. If yes, ask for overwriting |
| 244 | |
| 245 | if [ -f "${SYSCONFDIR}/ssh_config" ] |
| 246 | then |
| 247 | if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?" |
| 248 | then |
| 249 | rm -f "${SYSCONFDIR}/ssh_config" |
| 250 | if [ -f "${SYSCONFDIR}/ssh_config" ] |
| 251 | then |
| 252 | echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected." |
| 253 | fi |
| 254 | fi |
| 255 | fi |
| 256 | |
| 257 | # Create default ssh_config from here script |
| 258 | |
| 259 | if [ ! -f "${SYSCONFDIR}/ssh_config" ] |
| 260 | then |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 261 | echo "Generating ${SYSCONFDIR}/ssh_config file" |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 262 | cat > ${SYSCONFDIR}/ssh_config << EOF |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 263 | # This is the ssh client system-wide configuration file. See |
| 264 | # ssh_config(5) for more information. This file provides defaults for |
| 265 | # users, and the values can be changed in per-user configuration files |
| 266 | # or on the command line. |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 267 | |
| 268 | # Configuration data is parsed as follows: |
| 269 | # 1. command line options |
| 270 | # 2. user-specific file |
| 271 | # 3. system-wide file |
| 272 | # Any configuration value is only changed the first time it is set. |
| 273 | # Thus, host-specific definitions should be at the beginning of the |
| 274 | # configuration file, and defaults at the end. |
| 275 | |
| 276 | # Site-wide defaults for various options |
| 277 | |
| 278 | # Host * |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 279 | # ForwardAgent no |
| 280 | # ForwardX11 no |
| 281 | # RhostsAuthentication no |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 282 | # RhostsRSAAuthentication no |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 283 | # RSAAuthentication yes |
| 284 | # PasswordAuthentication yes |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 285 | # BatchMode no |
| 286 | # CheckHostIP yes |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 287 | # StrictHostKeyChecking ask |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 288 | # IdentityFile ~/.ssh/identity |
| 289 | # IdentityFile ~/.ssh/id_dsa |
| 290 | # IdentityFile ~/.ssh/id_rsa |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 291 | # Port 22 |
| 292 | # Protocol 2,1 |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 293 | # Cipher 3des |
| 294 | # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 295 | # EscapeChar ~ |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 296 | EOF |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 297 | if [ "$port_number" != "22" ] |
| 298 | then |
| 299 | echo "Host localhost" >> ${SYSCONFDIR}/ssh_config |
| 300 | echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config |
| 301 | fi |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 302 | fi |
| 303 | |
| 304 | # Check if sshd_config exists. If yes, ask for overwriting |
| 305 | |
| 306 | if [ -f "${SYSCONFDIR}/sshd_config" ] |
| 307 | then |
| 308 | if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?" |
| 309 | then |
| 310 | rm -f "${SYSCONFDIR}/sshd_config" |
| 311 | if [ -f "${SYSCONFDIR}/sshd_config" ] |
| 312 | then |
| 313 | echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." |
| 314 | fi |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 315 | else |
| 316 | grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 317 | fi |
| 318 | fi |
| 319 | |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 320 | # Prior to creating or modifying sshd_config, care for privilege separation |
| 321 | |
| 322 | if [ "$privsep_configured" != "yes" ] |
| 323 | then |
| 324 | if [ $_nt -gt 0 ] |
| 325 | then |
| 326 | echo "Privilege separation is set to yes by default since OpenSSH 3.3." |
| 327 | echo "However, this requires a non-privileged account called 'sshd'." |
| 328 | echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." |
| 329 | echo |
| 330 | if request "Shall privilege separation be used?" |
| 331 | then |
| 332 | privsep_used=yes |
| 333 | grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes |
| 334 | net user sshd >/dev/null 2>&1 && sshd_in_sam=yes |
| 335 | if [ "$sshd_in_passwd" != "yes" ] |
| 336 | then |
| 337 | if [ "$sshd_in_sam" != "yes" ] |
| 338 | then |
| 339 | echo "Warning: The following function requires administrator privileges!" |
| 340 | if request "Shall this script create a local user 'sshd' on this machine?" |
| 341 | then |
| 342 | dos_var_empty=`cygpath -w /var/empty` |
| 343 | net user sshd /add /fullname:"sshd privsep" "/HOMEDIR:$dos_var_empty" > /dev/null 2>&1 && sshd_in_sam=yes |
| 344 | if [ "$sshd_in_sam" != "yes" ] |
| 345 | then |
| 346 | echo "Warning: Creating the user 'sshd' failed!" |
| 347 | fi |
| 348 | fi |
| 349 | fi |
| 350 | if [ "$sshd_in_sam" != "yes" ] |
| 351 | then |
| 352 | echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" |
| 353 | echo " Privilege separation set to 'no' again!" |
| 354 | echo " Check your ${SYSCONFDIR}/sshd_config file!" |
| 355 | privsep_used=no |
| 356 | else |
| 357 | mkpasswd -l -u sshd >> ${SYSCONFDIR}/passwd |
| 358 | fi |
| 359 | fi |
| 360 | else |
| 361 | privsep_used=no |
| 362 | fi |
| 363 | else |
| 364 | # On 9x don't use privilege separation. Since security isn't |
| 365 | # available it just adds useless addtional processes. |
| 366 | privsep_used=no |
| 367 | fi |
| 368 | fi |
| 369 | |
| 370 | # Create default sshd_config from here script or modify to add the |
| 371 | # missing privsep configuration option |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 372 | |
| 373 | if [ ! -f "${SYSCONFDIR}/sshd_config" ] |
| 374 | then |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 375 | echo "Generating ${SYSCONFDIR}/sshd_config file" |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 376 | cat > ${SYSCONFDIR}/sshd_config << EOF |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 377 | # This is the sshd server system-wide configuration file. See |
| 378 | # sshd_config(5) for more information. |
| 379 | |
| 380 | # The strategy used for options in the default sshd_config shipped with |
| 381 | # OpenSSH is to specify options with their default value where |
| 382 | # possible, but leave them commented. Uncommented options change a |
| 383 | # default value. |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 384 | |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 385 | Port $port_number |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 386 | #Protocol 2,1 |
| 387 | #ListenAddress 0.0.0.0 |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 388 | #ListenAddress :: |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 389 | |
| 390 | # HostKey for protocol version 1 |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 391 | #HostKey ${SYSCONFDIR}/ssh_host_key |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 392 | # HostKeys for protocol version 2 |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 393 | #HostKey ${SYSCONFDIR}/ssh_host_rsa_key |
| 394 | #HostKey ${SYSCONFDIR}/ssh_host_dsa_key |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 395 | |
| 396 | # Lifetime and size of ephemeral version 1 server ke |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 397 | #KeyRegenerationInterval 3600 |
| 398 | #ServerKeyBits 768 |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 399 | |
| 400 | # Logging |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 401 | #obsoletes QuietMode and FascistLogging |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 402 | #SyslogFacility AUTH |
| 403 | #LogLevel INFO |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 404 | |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 405 | # Authentication: |
| 406 | |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 407 | #LoginGraceTime 600 |
| 408 | #PermitRootLogin yes |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 409 | # The following setting overrides permission checks on host key files |
| 410 | # and directories. For security reasons set this to "yes" when running |
| 411 | # NT/W2K, NTFS and CYGWIN=ntsec. |
| 412 | StrictModes no |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 413 | |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 414 | #RSAAuthentication yes |
| 415 | #PubkeyAuthentication yes |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 416 | #AuthorizedKeysFile %h/.ssh/authorized_keys |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 417 | |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 418 | # rhosts authentication should not be used |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 419 | #RhostsAuthentication no |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 420 | # Don't read ~/.rhosts and ~/.shosts files |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 421 | #IgnoreRhosts yes |
| 422 | # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts |
| 423 | #RhostsRSAAuthentication no |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 424 | # similar for protocol version 2 |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 425 | #HostbasedAuthentication no |
| 426 | # Change to yes if you don't trust ~/.ssh/known_hosts for |
| 427 | # RhostsRSAAuthentication and HostbasedAuthentication |
| 428 | #IgnoreUserKnownHosts no |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 429 | |
| 430 | # To disable tunneled clear text passwords, change to no here! |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 431 | #PasswordAuthentication yes |
| 432 | #PermitEmptyPasswords no |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 433 | |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 434 | # Change to no to disable s/key passwords |
| 435 | #ChallengeResponseAuthentication yes |
| 436 | |
| 437 | #X11Forwarding no |
| 438 | #X11DisplayOffset 10 |
| 439 | #X11UseLocalhost yes |
| 440 | #PrintMotd yes |
| 441 | #PrintLastLog yes |
| 442 | #KeepAlive yes |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 443 | #UseLogin no |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 444 | UsePrivilegeSeparation $privsep_used |
| 445 | #Compression yes |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 446 | |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 447 | #MaxStartups 10 |
| 448 | # no default banner path |
| 449 | #Banner /some/path |
| 450 | #VerifyReverseMapping no |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 451 | |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 452 | # override default of no subsystems |
Damien Miller | aba690c | 2001-11-12 10:36:21 +1100 | [diff] [blame] | 453 | Subsystem sftp /usr/sbin/sftp-server |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 454 | EOF |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 455 | elif [ "$privsep_configured" != "yes" ] |
| 456 | then |
| 457 | echo >> ${SYSCONFDIR}/sshd_config |
| 458 | echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 459 | fi |
| 460 | |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 461 | # Care for services file |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 462 | if [ $_nt -gt 0 ] |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 463 | then |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 464 | _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services" |
| 465 | _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$" |
| 466 | else |
| 467 | _wservices="${WINDIR}\\SERVICES" |
| 468 | _wserv_tmp="${WINDIR}\\SERV.$$" |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 469 | fi |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 470 | _services=`cygpath -u "${_wservices}"` |
| 471 | _serv_tmp=`cygpath -u "${_wserv_tmp}"` |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 472 | |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 473 | mount -t -f "${_wservices}" "${_services}" |
| 474 | mount -t -f "${_wserv_tmp}" "${_serv_tmp}" |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 475 | |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 476 | # Remove sshd 22/port from services |
| 477 | if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 478 | then |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 479 | grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" |
| 480 | if [ -f "${_serv_tmp}" ] |
| 481 | then |
| 482 | if mv "${_serv_tmp}" "${_services}" |
| 483 | then |
| 484 | echo "Removing sshd from ${_services}" |
| 485 | else |
| 486 | echo "Removing sshd from ${_services} failed\!" |
| 487 | fi |
| 488 | rm -f "${_serv_tmp}" |
| 489 | else |
| 490 | echo "Removing sshd from ${_services} failed\!" |
| 491 | fi |
| 492 | fi |
| 493 | |
| 494 | # Add ssh 22/tcp and ssh 22/udp to services |
| 495 | if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] |
| 496 | then |
| 497 | awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 498 | if [ -f "${_serv_tmp}" ] |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 499 | then |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 500 | if mv "${_serv_tmp}" "${_services}" |
| 501 | then |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 502 | echo "Added ssh to ${_services}" |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 503 | else |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 504 | echo "Adding ssh to ${_services} failed\!" |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 505 | fi |
| 506 | rm -f "${_serv_tmp}" |
| 507 | else |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 508 | echo "Adding ssh to ${_services} failed\!" |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 509 | fi |
| 510 | fi |
| 511 | |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 512 | umount "${_services}" |
| 513 | umount "${_serv_tmp}" |
| 514 | |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 515 | # Care for inetd.conf file |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 516 | _inetcnf="${SYSCONFDIR}/inetd.conf" |
| 517 | _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 518 | |
| 519 | if [ -f "${_inetcnf}" ] |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 520 | then |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 521 | # Check if ssh service is already in use as sshd |
| 522 | with_comment=1 |
| 523 | grep -q '^[ \t]*sshd' "${_inetcnf}" && with_comment=0 |
| 524 | # Remove sshd line from inetd.conf |
| 525 | if [ `grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ] |
| 526 | then |
| 527 | grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}" |
| 528 | if [ -f "${_inetcnf_tmp}" ] |
| 529 | then |
| 530 | if mv "${_inetcnf_tmp}" "${_inetcnf}" |
| 531 | then |
| 532 | echo "Removed sshd from ${_inetcnf}" |
| 533 | else |
| 534 | echo "Removing sshd from ${_inetcnf} failed\!" |
| 535 | fi |
| 536 | rm -f "${_inetcnf_tmp}" |
| 537 | else |
| 538 | echo "Removing sshd from ${_inetcnf} failed\!" |
| 539 | fi |
| 540 | fi |
| 541 | |
| 542 | # Add ssh line to inetd.conf |
| 543 | if [ `grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ] |
| 544 | then |
| 545 | if [ "${with_comment}" -eq 0 ] |
| 546 | then |
Ben Lindstrom | c42f7cf | 2002-04-12 17:44:13 +0000 | [diff] [blame] | 547 | echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 548 | else |
Ben Lindstrom | c42f7cf | 2002-04-12 17:44:13 +0000 | [diff] [blame] | 549 | echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" |
Damien Miller | 8ac0a7e | 2001-03-07 21:38:19 +1100 | [diff] [blame] | 550 | fi |
| 551 | echo "Added ssh to ${_inetcnf}" |
| 552 | fi |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 553 | fi |
| 554 | |
Ben Lindstrom | a582029 | 2001-07-18 16:25:41 +0000 | [diff] [blame] | 555 | # On NT ask if sshd should be installed as service |
| 556 | if [ $_nt -gt 0 ] |
| 557 | then |
| 558 | echo |
| 559 | echo "Do you want to install sshd as service?" |
| 560 | if request "(Say \"no\" if it's already installed as service)" |
| 561 | then |
| 562 | echo |
| 563 | echo "Which value should the environment variable CYGWIN have when" |
| 564 | echo "sshd starts? It's recommended to set at least \"ntsec\" to be" |
| 565 | echo "able to change user context without password." |
| 566 | echo -n "Default is \"binmode ntsec tty\". CYGWIN=" |
| 567 | read _cygwin |
| 568 | [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" |
| 569 | if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" |
| 570 | then |
Ben Lindstrom | 6dbf300 | 2002-07-03 23:33:19 +0000 | [diff] [blame] | 571 | chown system /${SYSCONFDIR}/ssh* |
Ben Lindstrom | a582029 | 2001-07-18 16:25:41 +0000 | [diff] [blame] | 572 | echo |
| 573 | echo "The service has been installed under LocalSystem account." |
| 574 | fi |
| 575 | fi |
| 576 | fi |
| 577 | |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 578 | if [ "${old_install}" = "1" ] |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 579 | then |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 580 | echo |
| 581 | echo "Note: If you have used sshd as service or from inetd, don't forget to" |
| 582 | echo " change the path to sshd.exe in the service entry or in inetd.conf." |
Kevin Steves | 9be6e26 | 2000-10-29 19:18:49 +0000 | [diff] [blame] | 583 | fi |
| 584 | |
| 585 | echo |
Ben Lindstrom | b100ec9 | 2001-01-19 05:37:32 +0000 | [diff] [blame] | 586 | echo "Host configuration finished. Have fun!" |